A DevOps team has created a Custom Lambda rule in AWS Config. The rule monitors Amazon Elastic Container Repository (Amazon ECR) policy statements for ecr:* actions. When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route the notification to a security team.
When the custom AWS Config rule is evaluated, the AWS Lambda function fails to run.
Which solution will resolve the issue?
To resolve the issue where the AWS Lambda function fails to run when the custom AWS Config rule is evaluated, the Lambda function's resource policy needs to be modified to grant AWS Config permission to invoke the function. This allows AWS Config to trigger the Lambda function properly as part of its rule evaluation.
---> A
A. Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:region:account-id:function:function-name" } ] }
Resource policy should allow Config invocation